API Access & Usage Policy

Updated: 5th February 2026

This API Access & Usage Policy (the “Policy”) governs use of Fanvue’s application programming interfaces (the “API”). It applies to all requests made with an API Key issued by Fanvue.

This Policy supplements the General Terms & Conditions and other applicable Fanvue Policies. If there is any conflict between this Policy and the General Terms, the terms of this Policy shall prevail for the specific subject matter it governs.

All defined terms used herein shall have the meaning assigned in the General Terms & Conditions, unless otherwise stated.


DEFINITIONS

“API Key” means a unique credential issued by Fanvue, used to authenticate API requests. It must be sent in the X-Fanvue-API-Key header.

“Scopes” means the fixed permissions associated with an API Key, which determine which endpoints and operations the key may access. Scopes are set when the key is issued and cannot be modified afterwards.

“API Version” means the required version identifier for the API, sent in the X-Fanvue-API-Version header. The value must follow the format YYYY-MM-DD (e.g. 2025-06-26).

“Rate Limit” means the maximum number of requests permitted per key within a defined window.

“Supported Version” means an API Version that Fanvue currently supports. Fanvue may deprecate or sunset versions.

“Third-Party Application” means an application registered on Fanvue that can request access to user accounts via OAuth authorisation. Also referred to as an “OAuth Application” or “Developer Application”.

“Application Credentials” means the client ID, client secret, redirect URIs, and webhook callback URLs associated with a Third-Party Application.


1. ACCESS & AUTHORISATION

1.1 Authentication

  1. All secured endpoints require the header X-Fanvue-API-Key.
  2. Keys are validated for format, hashed, and matched against Fanvue records. Revoked keys are rejected.
  3. On successful authentication, the request context is associated with the issuing user and the key’s scopes.

1.2 Authorisation

  1. Endpoints declare required Scopes. Access is granted only if the API Key’s Scopes include the required set.
  2. Requests without valid credentials or sufficient permissions will return a 401 Unauthorized or 403 Forbidden response status code, as appropriate.
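
The authentication and authorisation sequence described in 1.1 and 1.2, implemented as a server-side check. This is an added example written for this page, not Fanvue's code: the key format, the SHA-256 hashing, the sample keys, the scope names and the record layout are all assumptions constructed for illustration.

```python
import hashlib
import re

# Key format, hash algorithm and scope names are illustrative assumptions:
# the policy publishes none of them.
KEY_FORMAT = re.compile(r"^fv_[A-Za-z0-9]{32}$")


def hash_key(raw_key: str) -> str:
    """Only a digest of the key is stored; it cannot be reversed to recover the key."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


# Constructed sample keys and the server-side records that correspond to them.
GOOD_KEY = "fv_" + "a" * 32
REVOKED_KEY = "fv_" + "b" * 32
RECORDS = {
    hash_key(GOOD_KEY): {"user_id": "u_1001", "scopes": frozenset({"read:self", "read:chats"}), "revoked": False},
    hash_key(REVOKED_KEY): {"user_id": "u_1002", "scopes": frozenset({"read:self"}), "revoked": True},
}


def authenticate(headers: dict, records: dict = RECORDS):
    """Return (401, None) for a missing, malformed, unknown or revoked key, else (200, record).
    Every failure path yields the same status, so a caller cannot tell an unknown key
    from a revoked one."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw = lower.get("x-fanvue-api-key")
    if not raw or not KEY_FORMAT.match(raw):
        return 401, None
    record = records.get(hash_key(raw))
    if record is None or record["revoked"]:
        return 401, None
    return 200, record


def authorise(record: dict, required: frozenset) -> int:
    """Access is granted only if the key's scopes include the whole required set."""
    return 200 if required <= record["scopes"] else 403


def handle(headers: dict, required_scopes, records: dict = RECORDS) -> int:
    """The check an endpoint runs before doing any work: authenticate, then authorise."""
    status, record = authenticate(headers, records)
    if status != 200:
        return status
    return authorise(record, frozenset(required_scopes))
```

The distinction worth keeping: every authentication failure (absent, malformed, unknown or revoked key) maps to 401 and looks identical to the caller, while an authenticated key that lacks scope maps to 403, and the scope test is a full subset check rather than a match on any single scope.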

1.3 API Versioning

  1. The header X-Fanvue-API-Version is required on requests in the format YYYY-MM-DD.
  2. Fanvue may reject unsupported or sunset versions and require an upgrade to a Supported Version.
  3. Version lifecycle follows: Active → Deprecated → Sunset.
  4. Deprecation is communicated via standard HTTP response headers (Sunset as defined in RFC 8594, Deprecation as defined in RFC 9745) together with a Fanvue-specific header:
    1. Deprecation: indicates when the version was deprecated.
    2. Sunset: specifies when the version will stop working.
    3. X-Fanvue-API-Next-Version: recommends the migration path.
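
A client-side reading of the version lifecycle above: validate the X-Fanvue-API-Version value before sending it, then classify the served version from the deprecation headers as Active, Deprecated or Sunset. This is an added example, not code from the page or from Fanvue. The header values are constructed, and the assumption that Sunset carries an HTTP-date while Deprecation carries either an HTTP-date or an RFC 9745 "@unix-seconds" value is made here, since the policy does not state the formats.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def utc(year, month, day):
    """Small helper so callers can build aware UTC instants."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def validate_version(version: str) -> bool:
    """X-Fanvue-API-Version must be a real calendar date written YYYY-MM-DD."""
    if not VERSION_RE.match(version):
        return False
    try:
        datetime.strptime(version, "%Y-%m-%d")
    except ValueError:
        return False
    return True


def parse_date(value):
    """Accept an HTTP-date (the RFC 8594 Sunset form) or '@<unix seconds>' (the
    RFC 9745 Deprecation form). Which form Fanvue actually emits is an assumption.
    Returns an aware UTC datetime, or None when the header is absent."""
    if value is None:
        return None
    value = value.strip()
    if value.startswith("@"):
        return datetime.fromtimestamp(int(value[1:]), tz=timezone.utc)
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def version_status(headers: dict, now: datetime) -> dict:
    """Classify the version a response was served with and surface the recommended
    migration target plus the remaining runway before the version stops working."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    deprecated_at = parse_date(h.get("deprecation"))
    sunset_at = parse_date(h.get("sunset"))
    if sunset_at is not None and now >= sunset_at:
        state = "sunset"        # expect 410 Gone from here on
    elif deprecated_at is not None and now >= deprecated_at:
        state = "deprecated"    # still served, but migration is due
    else:
        state = "active"        # includes the case where deprecation is only announced for a future date
    return {
        "state": state,
        "next_version": h.get("x-fanvue-api-next-version"),
        "days_until_sunset": (sunset_at - now).days if sunset_at is not None else None,
    }


# Constructed response headers for a deprecated version; not captured from Fanvue.
DEPRECATED_HEADERS = {
    "Deprecation": "@1768435200",                 # 2026-01-15T00:00:00Z
    "Sunset": "Sat, 01 Aug 2026 00:00:00 GMT",
    "X-Fanvue-API-Next-Version": "2026-01-15",
}
```

A client that logs version_status() on every response will see the state flip to "deprecated" on the day the Deprecation instant passes and can alert on a shrinking days_until_sunset long before the first 410 arrives.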

2. API KEY MANAGEMENT

  1. API Keys are issued to a specific Fanvue user account and are non-transferable. Only one active API key per user is permitted at any time.
  2. Keys can be obtained and managed at https://www.fanvue.com/api-keys.
  3. Keys are stored hashed and cannot be retrieved after creation. Keys can be revoked at any time, with revocation taking immediate effect.
  4. Scopes are fixed when the key is issued and cannot be modified after creation.
  5. Fanvue may record API usage metadata (e.g. key identifier, method, path, timestamps) for security, audit, and operational purposes in accordance with our Privacy Policy.

3. TECHNICAL REQUIREMENTS

  1. Required headers on secured endpoints:
    1. X-Fanvue-API-Key: a valid, unrevoked key.
    2. X-Fanvue-API-Version: the requested API Version (e.g. 2025-06-26).
  2. Requests must be made over HTTPS. Plain HTTP is not permitted.
  3. Clients must handle error responses appropriately:
    1. 400 Bad Request: Invalid request (e.g., unsupported API version, malformed parameters). Check the error message and API documentation for details.
    2. 401 Unauthorized: Missing or invalid authentication.
    3. 403 Forbidden: Insufficient permissions for the requested endpoint.
    4. 410 Gone: API version permanently removed (the response body includes a nextVersion field).
    5. 429 Too Many Requests: Rate limit exceeded (includes Retry-After header).

4. PERMITTED USE

  1. Subject to Scope, the API enables the following operations:
    1. Users: Reading current user details.
    2. Chats: Listing chats, retrieving chat messages, creating new chats, sending messages, sending mass messages, deleting messages, and updating chat properties.
    3. Posts: Creating new posts.
    4. Custom Lists: Listing custom lists and members, creating lists, renaming lists, deleting lists, adding members to lists, and removing members from lists.
    5. Media & Vault: Creating multipart upload sessions, obtaining signed URLs for uploads, completing upload sessions, creating vault folders, renaming vault folders, deleting vault folders, adding media to folders, and removing media from folders.
    6. Tracking Links: Listing tracking links, creating tracking links, and deleting tracking links.
    7. Creators: Reading followers and subscribers.
    8. Insights: Reading earnings data, top-spending fans, and subscriber counts.
    9. Agencies: Managing creators, creator-specific chat operations (creating chats, sending messages, sending mass messages), creator media uploads, creating posts for creators, managing tracking links for creators, and accessing creator analytics.
  2. The API provides both read and write access depending on your authorised Scopes. Write operations modify data on the Platform and should be used responsibly.
  3. Pagination and filtering may apply as documented for each endpoint.
  4. API access is controlled and may be limited to whitelisted or approved users during rollout.

5. PROHIBITED USE

  1. Calling secured endpoints without a valid API Key or with an invalid format.
  2. Accessing endpoints without the necessary Scopes.
  3. Exceeding Rate Limits or failing to respect Retry-After guidance.
  4. Attempting to subvert authentication, authorisation, versioning controls, or rate limiting.
  5. Misusing or sharing API Keys. Keys must be kept confidential and secure.
  6. Any use contrary to the Acceptable Use Policy or this Policy.
  7. Creating Third-Party Applications at the request, instruction, or encouragement of any third party. Applications must only be created by and for the developer who will operate and control them.
  8. Sharing Application Credentials (including client secrets, redirect URIs, or webhook callback URLs) with any third party, or configuring these to point to domains or services not under your direct control.
  9. Providing instructions, tutorials, or encouragement to others to create applications or share credentials in a manner that violates this Policy.

6. RATE LIMITS & FAIR USAGE

  1. Default limit: 100 requests per 60 seconds per API Key (subject to change or per-route overrides). The request bucket refills completely every 60 seconds.
  2. Responses include standard rate limit headers when applicable:

    Header                   Meaning
    X-RateLimit-Limit        Total request capacity for the current window
    X-RateLimit-Remaining    Requests remaining in the current window
    X-RateLimit-Reset        Unix time (seconds) when the window resets

  3. When limits are exceeded, the API returns a 429 Too Many Requests status code and may include:
    1. Retry-After header: seconds until another request may be attempted.
  4. Implement exponential backoff and honour the Retry-After header to avoid throttling.
  5. Fanvue may tune limits per route or client and may enforce stricter limits for stability.
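
Putting sections 3 and 6 together: a small client that enforces HTTPS, sends the two required headers, refuses to retry 400/401/403 (those need a client-side fix first), surfaces nextVersion on a 410, and handles 429 by honouring Retry-After with exponential backoff as the fallback. It runs against a constructed stand-in server that applies the documented 100-requests-per-60-seconds window with a complete refill at the window boundary. This is an added example, not Fanvue's code or a captured exchange; the URL, the fake server and the fake clock are assumptions for the example.

```python
import os
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit

API_VERSION = "2025-06-26"  # the example version quoted in the policy


@dataclass
class Response:
    status: int
    headers: dict
    body: dict = field(default_factory=dict)


class ApiError(Exception):
    def __init__(self, status, message, next_version=None):
        super().__init__(f"HTTP {status}: {message}")
        self.status, self.next_version = status, next_version


def request(send, method, url, api_key, max_retries=5, sleep=time.sleep):
    """Issue one logical request through send(method, url, headers) -> Response.
    Enforces HTTPS and the two required headers, refuses to retry 400/401/403,
    surfaces nextVersion from a 410, and retries 429 honouring Retry-After with
    exponential backoff as the fallback when that header is absent."""
    if urlsplit(url).scheme != "https":
        raise ValueError("plain HTTP is not permitted; use an https:// URL")
    headers = {"X-Fanvue-API-Key": api_key, "X-Fanvue-API-Version": API_VERSION}
    backoff = 1.0
    for attempt in range(max_retries + 1):
        resp = send(method, url, headers)
        if resp.status == 429:
            if attempt == max_retries:
                raise ApiError(429, "rate limit exceeded and retries exhausted")
            retry_after = resp.headers.get("Retry-After")
            sleep(float(retry_after) if retry_after else backoff)
            backoff = min(backoff * 2, 60.0)
            continue
        if resp.status == 410:
            raise ApiError(410, "API version sunset", resp.body.get("nextVersion"))
        if resp.status in (400, 401, 403):
            raise ApiError(resp.status, resp.body.get("error", "request rejected"))
        return resp


class FakeClock:
    """Deterministic clock so the example runs instantly and offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeFanvueServer:
    """Constructed stand-in for the API (not Fanvue's code): a fixed 60-second
    window of 100 requests per key that refills completely when the window ends."""
    LIMIT, WINDOW = 100, 60

    def __init__(self, clock):
        self.clock = clock
        self.windows = {}  # api key -> (window_start, requests_used)

    def __call__(self, method, url, headers):
        key = headers.get("X-Fanvue-API-Key")
        if not key:
            return Response(401, {}, {"error": "missing X-Fanvue-API-Key"})
        if headers.get("X-Fanvue-API-Version") != API_VERSION:
            return Response(400, {}, {"error": "unsupported API version"})
        now = self.clock.now()
        start, used = self.windows.get(key, (now, 0))
        if now - start >= self.WINDOW:
            start, used = now, 0  # bucket refills completely at the window boundary
        reset = int(start + self.WINDOW)
        rl = {"X-RateLimit-Limit": str(self.LIMIT), "X-RateLimit-Reset": str(reset)}
        if used >= self.LIMIT:
            rl["X-RateLimit-Remaining"] = "0"
            rl["Retry-After"] = str(max(1, reset - int(now)))
            return Response(429, rl, {"error": "rate limit exceeded"})
        used += 1
        self.windows[key] = (start, used)
        rl["X-RateLimit-Remaining"] = str(self.LIMIT - used)
        return Response(200, rl, {"ok": True})


if __name__ == "__main__":
    # Section 10: read the key from the environment, never from source code.
    api_key = os.environ.get("FANVUE_API_KEY")
    if not api_key:
        raise SystemExit("set FANVUE_API_KEY in the environment before running")
    clock = FakeClock()
    server = FakeFanvueServer(clock)
    url = "https://api.example.invalid/users/me"  # placeholder; the real base URL is not on the page
    for _ in range(101):  # the 101st call hits 429, waits Retry-After, then succeeds
        resp = request(server, "GET", url, api_key, sleep=clock.sleep)
    print(resp.status, resp.headers, "simulated seconds elapsed:", clock.now() - 1_000_000.0)
```

Two design points: Retry-After is treated as authoritative and backoff only fills in when it is missing, so the client never sleeps less than the server asked for; and the retry loop deliberately excludes 401 and 403, since replaying a request with the same bad key or insufficient scope can only burn rate-limit budget.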

7. DATA & PRIVACY

This section explains data protection responsibilities in connection with the API. For details on how Fanvue collects, processes, and protects personal data, see our Privacy Policy.

7.1 App Builder Data Protection Responsibilities

If you build or operate a Third-Party Application that accesses user data through the API, you become a data controller (or data processor, depending on your relationship with users) for any personal data you access, store, or process. You are responsible for:

  1. Having a valid legal basis for processing personal data (e.g., user consent, legitimate interest, or contractual necessity).
  2. Implementing appropriate technical and organisational security measures to protect personal data.
  3. Not retaining personal data longer than necessary for the purposes disclosed to users.
  4. Responding to data subject access requests (DSARs) for any personal data you hold.
  5. Notifying Fanvue promptly at support@fanvue.com of any data breach involving Fanvue user data.
  6. Maintaining your own privacy policy that clearly explains how you collect, use, store, and share personal data obtained through the API.
  7. Not sharing personal data with further third parties without appropriate legal basis and safeguards.
  8. Complying with all applicable data protection laws, including UK GDPR, EU GDPR, and any other relevant legislation.
  9. Processing personal data only for purposes disclosed to users at the time of authorisation.
  10. Ensuring any international data transfers you make comply with applicable data protection laws.

Fanvue does not monitor or guarantee App Builder compliance with data protection laws. Users who authorise access to Third-Party Applications do so at their own risk.

7.2 User Responsibilities (OAuth Authorisation)

When you authorise a Third-Party Application to access your Fanvue account via OAuth, you acknowledge and accept that:

  1. You are granting the Third-Party Application access to your account data as described in the requested Scopes.
  2. The App Builder (not Fanvue) controls how your data is used, stored, and shared after authorisation.
  3. Fanvue’s responsibility for your data ends once it is shared with the Third-Party Application.
  4. You are responsible for reviewing the Third-Party Application’s permissions and privacy policy before granting access.
  5. You can revoke access at any time via Settings → Account → Third Party Apps Consent.
  6. You should only authorise Third-Party Applications from developers you trust.
  7. Fanvue does not endorse, verify, or guarantee the security or compliance of Third-Party Applications.

7.3 Third-Party Users

Third-Party Applications may process data relating to individuals who are not Fanvue users (e.g., recipients of messages sent via integrations, or users of external platforms connected to the API). For such individuals:

  1. Fanvue has no direct relationship with these individuals and is not the data controller for their data.
  2. App Builders are solely responsible for the lawful collection, processing, and protection of such data.
  3. App Builders must ensure compliance with all applicable data protection laws regarding these individuals.
  4. Fanvue bears no liability for how App Builders handle data relating to non-Fanvue users.

7.4 External Integrations & Liability Limitations

If you use the API to integrate with external services, platforms, or applications (e.g., Slack, Zapier, CRMs, social media platforms, AI services, or other third-party tools), you acknowledge and accept that:

  1. External Terms Compliance: You are solely responsible for ensuring your use of Fanvue data complies with the terms of service, acceptable use policies, and privacy policies of any external platforms.
  2. Prohibited Use by External Platforms: If an external service prohibits automated access, certain data uses, or integration with platforms like Fanvue, you are solely responsible for any consequences of non-compliance.
  3. Data Shared Externally: Once data leaves Fanvue through the API, Fanvue is not liable for its subsequent use, storage, disclosure, or security by you, App Builders, or any external services.
  4. No Guarantee of App Builder Compliance: Fanvue does not verify, endorse, or guarantee that Third-Party Applications comply with applicable laws, external platform terms, or industry standards.
  5. Downstream Processing: Fanvue is not responsible for any further sharing, processing, or misuse of data by App Builders, their integrations, or external services.
  6. Third-Party Security: Fanvue is not responsible for the security practices, data breaches, or failures of external services or App Builders.

You agree to indemnify and hold harmless Fanvue, its officers, directors, employees, and agents from any claims, damages, losses, or expenses (including legal fees) arising from:

  1. Your misuse of the API or violation of this Policy.
  2. Your violation of any external platform’s terms of service or policies.
  3. Your failure to comply with applicable data protection laws.
  4. Any claims by third parties (including data subjects) relating to your processing of personal data obtained through the API.

7.5 Your Data Protection Rights

Under UK and EU data protection law, you have rights regarding your personal data held by Fanvue, including the right to access, rectify, erase, restrict processing, data portability, and object to processing. For full details of your rights and how to exercise them, see our Privacy Policy.

For personal data held by App Builders, you must contact the App Builder directly to exercise your rights. Fanvue cannot access, modify, or delete personal data held by third parties.

8. INTELLECTUAL PROPERTY

  1. The API, its specification, and related documentation are owned by or licensed to Fanvue.
  2. This Policy does not grant any IP rights beyond those necessary to consume the API as permitted by your Scopes and the General Terms & Conditions.

9. RESALE & REUSE

  1. Reselling, sublicensing, or redistributing API access, data, or responses to third parties is not permitted unless expressly authorised by Fanvue.
  2. Additional restrictions may apply under the Acceptable Use Policy and other Platform terms.

10. SECURITY REQUIREMENTS

  1. Always use HTTPS and secure, up-to-date TLS configurations.
  2. Store API Keys securely:
    1. Use environment variables or secure secrets management systems.
    2. Never hardcode keys in source code.
    3. Do not embed keys in client-side code or expose them publicly.
    4. Do not commit API keys to publicly accessible version control repositories (e.g., GitHub).
  3. Rotate Keys periodically and immediately if compromise is suspected.
  4. Monitor API usage for unexpected activity.
  5. Handle error responses gracefully and remediate underlying causes before retrying.
  6. Do not attempt to bypass security controls or versioning requirements.
  7. Third-Party Application Security:
    1. Never create a Third-Party Application at the instruction of another person, service, or chatbot. Legitimate services will have their own registered developer application.
    2. Never share your Application Credentials with anyone. If a service asks you to create an app and provide them with credentials, this is likely fraudulent.
    3. Only configure redirect URIs and webhook callbacks that point to domains you own and control.
    4. If you are a user (not a developer), you should connect to third-party services via the standard “Connect with Fanvue” OAuth flow, not by creating your own application.
  8. Regularly review connected third-party applications at Settings → Account → Third Party Apps Consent. Revoke access for any applications you do not recognise or no longer use.
  9. If you suspect your Application Credentials have been compromised or shared:
    1. Immediately revoke third-party access at Settings → Account → Third Party Apps Consent.
    2. Delete any compromised applications at Creator Tools → Build → [Select App] → Delete.
    3. Report the incident to Fanvue at support@fanvue.com.
  10. Be alert to social engineering attacks. Common tactics include:
    1. Chatbots or automated services asking you to create an application “for them”.
    2. Promises of AI-powered features, automation, or analytics in exchange for creating apps.
    3. Instructions to share redirect URIs, webhook URLs, or client secrets.
    4. Pressure to act quickly or share the service with other creators.
  11. Report suspected social engineering attempts or fraudulent services to Fanvue immediately.

11. TERMINATION, SUSPENSION & VERSIONING

  1. Fanvue may suspend or revoke API access at any time for policy breaches, abuse, risk, or operational reasons.
  2. Keys may be revoked individually by Fanvue or at your request; revocation takes immediate effect.
  3. Fanvue may deprecate or sunset API Versions. Clients must upgrade to Supported Versions within timelines communicated by Fanvue.
  4. Fanvue may apply throttling or other protective measures to preserve Platform integrity.
  5. Fanvue may take immediate action, including suspension or termination, against accounts involved in credential sharing, social engineering, or facilitating unauthorised access to other users’ accounts.

Need Help?

If you have questions about any of our policies or need assistance:

Fanvue reserves the right to amend this Policy from time to time. The latest version will always be accessible at legal.fanvue.com, and significant changes will be communicated where required.